Don't set up AppArmor profile for privileged pods

This is essentially db218e7162c2 forward-ported to specgen

Signed-off-by: Ralf Haferkamp <rhafer@suse.com>
Ralf Haferkamp
2020-07-10 17:47:22 +02:00
parent d9cd0032f7
commit b3f15c09cd


@ -525,8 +525,10 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string
s.ContainerSecurityConfig.SelinuxOpts = append(s.ContainerSecurityConfig.SelinuxOpts, con[1]) s.ContainerSecurityConfig.SelinuxOpts = append(s.ContainerSecurityConfig.SelinuxOpts, con[1])
s.Annotations[define.InspectAnnotationLabel] = strings.Join(s.ContainerSecurityConfig.SelinuxOpts, ",label=") s.Annotations[define.InspectAnnotationLabel] = strings.Join(s.ContainerSecurityConfig.SelinuxOpts, ",label=")
case "apparmor": case "apparmor":
if !c.Privileged {
s.ContainerSecurityConfig.ApparmorProfile = con[1] s.ContainerSecurityConfig.ApparmorProfile = con[1]
s.Annotations[define.InspectAnnotationApparmor] = con[1] s.Annotations[define.InspectAnnotationApparmor] = con[1]
}
case "seccomp": case "seccomp":
s.SeccompProfilePath = con[1] s.SeccompProfilePath = con[1]
s.Annotations[define.InspectAnnotationSeccomp] = con[1] s.Annotations[define.InspectAnnotationSeccomp] = con[1]
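Review bot: In the `case "apparmor":` branch, an explicitly requested profile is now discarded without any trace when `c.Privileged` is set: neither `ApparmorProfile` nor the inspect annotation is written, and nothing tells the user the option was ignored. Someone who combines a privileged container with an AppArmor security option may assume the profile is enforced, so the skip should at least be documented in place, e.g. `// Privileged containers run unconfined; an explicit AppArmor profile is intentionally ignored.`, and ideally reported with a warning-level log line that names the ignored value. The `seccomp` case directly below still records its path and annotation regardless of `c.Privileged`; the hunk does not show whether that asymmetry is intended, so it is worth confirming. The enclosing switch and `FillOutSpecGen` both begin and end outside the hunk.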